Zen and the Art of SP1

Quality, not quantity: That seems to be the motto for Windows Server 2003 Service Pack 1 (SP1). Although SP1 includes several new features, Microsoft has concentrated on improving application compatibility without disrupting the operation of existing systems. The service pack's new functionality emphasizes that goal.

Attending to its core objective, SP1 includes a rollup of all the Windows 2003 patches and security updates that Microsoft has released since the OS first shipped in April 2003. The service pack addresses the top concerns that customers have reported through Microsoft Product Support Services (PSS) and Windows Error Reporting. Windows 2003 SP1 also adds several new security-oriented features. These changes are evolutionary, not revolutionary, and the kernel and core OS have the same code base as the original Windows 2003 OS.

Security Enhancements
Following Windows XP's lead, Windows 2003 SP1 includes built-in data execution prevention (DEP) technology. DEP is a set of hardware and software technologies designed to prevent buffer-overflow exploits. Windows 2003 SP1 provides both hardware- and software-based DEP. Hardware-based DEP, which will be supported on the AMD and Intel x64 processors, uses the CPU's ability to mark memory to indicate that the contents shouldn't be executed. Software-based DEP runs on any processor that supports Windows 2003 but protects only a limited set of system binaries.

Other important SP1 security enhancements include changes to remote procedure call (RPC) and Distributed COM (DCOM). To reduce the RPC attack surface, the service pack lets you require that remote RPC clients authenticate instead of connecting anonymously. To accomplish this, Microsoft added new registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC that let Windows 2003 restrict access to the RPC interface. The new RestrictRemoteClients value lets you modify the behavior of incoming RPC connections and eliminate anonymous remote access. The new EnableAuthEpResolution value restricts the accessibility of RPC endpoints by requiring clients to authenticate before the endpoint mapper resolves an endpoint for them.

The changes to DCOM are designed to reduce the risk of a network attack. DCOM enables remote execution of COM objects. Windows 2003 SP1 strengthens the authentication process required for DCOM to activate COM objects, letting you disable incoming DCOM calls.
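The following cmd.exe script is an added example (not from the article) that audits the RPC restriction values described above and, when run with the argument apply, sets them; the DCOM value under HKLM\SOFTWARE\Microsoft\Ole is queried only. The value meanings in the comments are Microsoft's documented settings; the rest (variable names, the apply switch) are assumptions of this example.

```batch
@echo off
rem Added example, not part of the article: audit and tighten the SP1 RPC
rem restrictions. Run from cmd.exe as a local administrator on the server.
setlocal
set RPCKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\RPC
set OLEKEY=HKLM\SOFTWARE\Microsoft\Ole

echo Current RPC restriction values (a missing value means the SP1 default applies):
reg query "%RPCKEY%" /v RestrictRemoteClients 2>nul || echo   RestrictRemoteClients not set
reg query "%RPCKEY%" /v EnableAuthEpResolution 2>nul || echo   EnableAuthEpResolution not set
echo Current DCOM switch (EnableDCOM = N disables incoming DCOM activation):
reg query "%OLEKEY%" /v EnableDCOM 2>nul || echo   EnableDCOM not set

rem RestrictRemoteClients: 0 = anonymous remote RPC allowed (pre-SP1 behavior),
rem 1 = remote clients must authenticate, interfaces may opt out individually,
rem 2 = remote clients must authenticate, no exemptions (strictest; test first).
rem EnableAuthEpResolution: 1 = endpoint-mapper lookups must be authenticated.
if /i "%1"=="apply" (
    reg add "%RPCKEY%" /v RestrictRemoteClients /t REG_DWORD /d 1 /f
    reg add "%RPCKEY%" /v EnableAuthEpResolution /t REG_DWORD /d 1 /f
    echo RPC restrictions applied. Reboot the server for them to take effect.
)
endlocal
```

Run the script once without arguments on a baseline server to record the current state, then with apply on the servers you want to tighten.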

Windows Firewall
One security-related enhancement that Microsoft took directly from the XP SP2 release is Windows Firewall. Don't mistake SP1's Windows Firewall as a replacement for Microsoft ISA Server 2004. ISA Server is installed at your network's edge and filters both incoming and outgoing traffic for all systems on the network—one ISA Server system can protect your entire internal LAN from external threats. In contrast, Windows Firewall is a host-based (i.e., personal) firewall that's designed to run on all the servers in your internal network and protect them from threats that originate outside the firewall as well as threats that originate in other systems on your LAN.

Like the XP version, the Windows 2003 SP1 firewall blocks only incoming traffic, not outgoing traffic. You can use the Network Connections dialog box to configure the firewall interactively, or you can configure it using Group Policy or the Netsh command. Windows 2003 SP1 automatically installs Windows Firewall, but to ensure maximum compatibility with existing applications, the firewall isn't enabled by default in an SP1 upgrade installation. If you use slipstreamed media (i.e., an installation CD-ROM that incorporates Windows 2003 SP1) to install a new Windows 2003 machine, Windows Firewall is automatically enabled and blocks all incoming traffic until you respond to the Post-Setup Security Updates (PSSU) dialog box, which I discuss later. This configuration protects the server while you perform the initial system update.

SP1's Windows Firewall works with both IPv6 and IPv4 traffic and lets you configure exceptions for your network applications. Microsoft recommends that you use the new Security Configuration Wizard (SCW) to configure the Windows 2003 SP1 firewall.
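As an added example (not the article's own), the following cmd.exe script enables the SP1 firewall with the Netsh command mentioned above, turns on logging of dropped packets, and opens one application port and remote administration only to internal address ranges. The port (1433), the application name, and the 10.0.0.0/8 and 10.0.1.0/24 ranges are placeholders for your own environment.

```batch
@echo off
rem Added example, not from the article: enable the Windows 2003 SP1 host
rem firewall from the command line and open only what this server needs.
rem The port and subnets below are placeholders for your environment.

rem Turn the firewall on for the domain profile and honor configured exceptions.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

rem Log dropped packets so you can see what the new policy blocks.
netsh firewall set logging filelocation=%windir%\pfirewall.log droppedpackets=ENABLE connections=DISABLE

rem Allow the application port only from the internal network, not from anywhere.
netsh firewall add portopening protocol=TCP port=1433 name="SQL Server (placeholder)" mode=ENABLE scope=CUSTOM addresses=10.0.0.0/8

rem Allow remote administration (RPC/DCOM) only from the management subnet.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=10.0.1.0/24

rem Show the resulting configuration so it can be reviewed before you log off.
netsh firewall show state
netsh firewall show config
```

The same settings can be delivered through Group Policy; the Netsh form is useful for scripted builds and for checking what a server actually has in effect.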

The SCW
The most important feature of Windows 2003 SP1, the SCW helps you reduce the attack surface of your Windows Server system. The SCW can

configure Windows Firewall to block ports

use IPsec to secure open ports

disable unnecessary services

disable unnecessary Microsoft IIS Web extensions

disable unnecessary protocols

configure audit settings

Considering the SCW's importance, it's ironic that the wizard isn't installed by default. Instead, in keeping with Microsoft's theme of minimal disruptions, the SP1 installation places the SCW icon on the desktop. Clicking that icon, however, only displays the SCW Help files; it doesn't install the wizard. To install it, you need to use Control Panel's Add/Remove Windows Components option, then select the SCW check box, as Figure 1 shows. The installation process adds the Security Configuration Wizard option to the Administrative Tools menu.

When you run the SCW, it prompts you with a series of dialog boxes to identify the role that the system performs. The set of SCW roles is extensive. The Security Configuration Database dialog box in Figure 2 shows an example of a role. Preconfigured roles are stored as XML files in the %winnt%\security\msscw\kbs directory. The security policies that you create are saved in the %winnt%\security\msscw\Policies directory. Because they're XML files, you can edit them and copy them to other servers. One cool SCW feature is its ability to create a Windows security policy from an existing server installation. Doing so lets you select a baseline system that you can configure the way you want and create a policy based on that system's settings that you can apply to other systems. To create a new policy based on an existing system, run the SCW and select the Create a new security policy option. Enter the name of the system you want to use as a model, complete the wizard steps, and save the policy.

The SCW can also roll back the security policies that you created with it. You can roll back a previously installed security policy by running the SCW, selecting the Rollback the last applied security policy option, and entering the name or IP address of the system for which you want to roll back the policy. This function lets you easily return your server to an earlier state if the policies don't work as expected. The SCW can also analyze existing systems to determine whether they're in compliance with your security policies. Windows 2003 SP1 includes the new scwcmd.exe command-line utility, which lets you apply SCW policies from administrative scripts or include a call to the scwcmd.exe utility in the cmdlines.txt file for unattended setup operations.
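An added example (not from the article) of using scwcmd.exe the way the paragraph above describes: check several servers for compliance with a saved SCW policy, render one result for review, and apply the policy only when explicitly asked. The policy file name, the server names, and the report directory are placeholders.

```batch
@echo off
rem Added example, not the article's own: deploy an SCW policy with scwcmd.exe.
rem web-baseline.xml, the server names and C:\scw-reports are placeholders.
setlocal
set POLICY=%windir%\security\msscw\Policies\web-baseline.xml
set SERVERS=web01 web02 web03
set REPORTS=C:\scw-reports

if not exist "%REPORTS%" mkdir "%REPORTS%"

rem 1. Compliance check only: nothing is changed, one XML result per server
rem    (named after the server) lands in the report directory.
for %%S in (%SERVERS%) do (
    scwcmd analyze /m:%%S /p:"%POLICY%" /o:"%REPORTS%"
)

rem 2. Render one result as HTML for review.
scwcmd view /x:"%REPORTS%\web01.xml"

rem 3. Apply the policy only when the script is run with the argument "apply".
rem    scwcmd saves the previous state, so the change can be undone later with
rem    scwcmd rollback /m:<server>.
if /i "%1"=="apply" (
    for %%S in (%SERVERS%) do scwcmd configure /m:%%S /p:"%POLICY%"
)
endlocal
```

Because scwcmd can also target a whole organizational unit with /ou, the same analyze step scales to every server in an OU once you've validated the policy on a few machines.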

The PSSU
The PSSU dialog box automatically starts on your first logon unless you used Group Policy to explicitly enable Windows Firewall. Designed to protect the server from external attacks after you initially boot it, the PSSU prompts you to install the most recent system updates and blocks all inbound connections until you click Finish on the dialog box, which Figure 3 shows.

The PSSU offers a link to Windows Update and lets you configure Automatic Updates. If you reboot the system or cancel the PSSU, the dialog box automatically reopens when you restart the system. After you complete the initial setup and click Finish on the dialog box, the PSSU is no longer active.

IE and Other Minor Components
Although Microsoft Internet Explorer (IE) isn't a component you'd typically use in a server environment, because it's part of the OS, IE affects server installations. Considering the number of security problems IE has had, it's not surprising that Windows 2003 SP1 includes all the IE fixes that Microsoft introduced in XP SP2. Those changes and enhancements are numerous, but some of the most notable are

pop-up blocking—suppresses the display of pop-up windows

information bar—provides notification about blocked content

Add-on Manager—lets you control the add-ons that IE loads

Among the updated Windows 2003 SP1 components that aren't server related are the new Windows Media Player (WMP) 10, which contains security enhancements, and Microsoft Office Outlook Express, which can force mail rendering in plain text and block the rendering of images embedded in email messages.

Deploy the Service Pack on Your Systems
Windows 2003 SP1 provides essential OS fixes and security-related enhancements that should be deployed on all Windows 2003 systems. The PSSU, SCW, and Windows Firewall would benefit all installations. I had no trouble with any of the SP1 installations that I performed. I didn't run into any application-incompatibility problems or other unexpected problems. I appreciated the unobtrusive way that Microsoft added the new features to the system, which put me in control of both how and whether to use them.